The state of cyber Presentation to Business Forward 28 March 2017

Page 2 The state of cyber

The perfect storm …

1% According to Cisco, only 1% of devices

that could be connected in the world actually is

*http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf

35 days for a new

technology to reach

a critical mass of 50m users

http://blogs.wsj.com/economics/2015/03/20/50-million-users-the-making-of-an-angry-birds-internet-mem

50b Internet-connected “things” by 2020,

including sensors, RFID chips and more* *http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf

Mobile

Social

Cloud computing

Internet of everything

Big data

Eighty-six percent of organizations believe there’s a shortage of skilled cybersecurity professionals. By the year 2020, the deficit of cybersecurity professionals to job opportunities is expected to reach more than 1.5m.* * http://www.nextgov.com/technology-news/tech-insider/2015/08/major-cybersecurity-job-shortage-we-must-act-we-are-war/119370

197+ days Average amount of time an attacker is on a corporate

environment before detection http://www.securityweek.com/attackers-dodge-detection-retailers-networks-

average-197-days-study

Page 3 The state of cyber

Evolution of the cyber threat

Unsophisticated attackers (script kiddies) You are attacked because you are on the internet and have a vulnerability — you represent a challenge

Sophisticated attackers (hackers) You are attacked because you are on the internet and have information of value — or they have a reason for disrupting your business

Corporate espionage (malicious insiders) Your current or former employee seeks financial gain from stealing/selling your IP — or they want to cause disruption for other reasons

State-sponsored attacks Advanced persistent threat (APT) You are targeted because of who you are or what you do or the value of your intellectual property

Ris

k

Attacker resources and sophistication

►  Revenge ►  Personal gain ►  Stock price

manipulation

Organized crime (criminal networks) You are attacked because you have information of value — for them to sell, to use as blackmail or to hold for ransom

Scrip

t ki

ddie

s H

acke

rs

Mal

icio

us

insi

ders

C

rimin

al

netw

orks

A

PT

►  Amusement ►  Experimentation ►  Nuisance or

notoriety

►  State-sponsored espionage

►  Market manipulation ►  Competitive advantage ►  Military/political

objectives

Any information of potential value to sell or use for extortion/ ransom: ►  Cash ►  Credit cards ►  Identities ►  Inside information ►  IP

Manipulation of systems

►  Industrial espionage and competitive advantage

►  Money ►  Embarrassment ►  Political/social/

environmental causes

Mainframes Evolution of the attack surface Mobile/cloud

Centralized business data model Distributed business data model

There are two types of companies: those that have been breached, and those that don’t know it yet.

Intelligence gathering

Date exfiltration

Initial exploitation

Command and control

Privilege escalation

APT life cycle

Page 4 The state of cyber

Being attacked is unavoidable — be prepared

Do you know what you have that others may want?

Do you know how your business plans could make these assets more vulnerable?

Do you understand how these assets could be accessed or disrupted?

Would you know if you were being attacked and if the assets have been compromised?

Do you have a plan to react to an attack and minimize the harm caused?

Valued assets

Intellectual property

People information

Financial information

Business information

5

4

3

2

1 Would you know if an attacker was able to gain access to your most valuable information?

Page 5 The state of cyber

Your checklist — know where you are in maturity

Activate Adapt Anticipate

Page 6 The state of cyber

EY’s cybersecurity locations

In 2017, EY was named one of the top five Global cybersecurity companies. Source: http://cybersecurityventures.com/cybersecurity-500/

Number of countries

150

Cybersecurity practitioners globally

3,000

Our cyber talent ecosystem includes people from Technology Industry Law enforcement Government Military

Page 7 The state of cyber

Education Florida Institute of Technology MS Management — Information Systems Concentration

Boston University BS Computer-Systems Engineering

Certifications CISA CISSP Electronic Records Management Specialist

Industry lines Financial services Oil and gas Chemical manufacturing Defense Technology

Background

Anil Markose is a principal with Ernst & Young LLP’s National Cyber Security practice and is based in New York City, focusing on the financial services sector. Anil has more than 15 years in the security space focused on helping organizations to manage IT risks and improve their information security capabilities.

Anil currently leads the Cyber Threat Management Service of our Financial Services Information Security practice in the Americas. This team advises EY’s financial sector clients on threat intelligence, attack and penetration, security monitoring, incident response, strategic countermeasure planning and vulnerability management. In addition to his experience with EY, Anil was part of the consulting leadership of Mandiant, one of the most recognized incident response firms.

Anil is a thought leader in the areas of security operations and in the use of analytics in dealing with big data issues in the information security space. His focus areas are in the development of next-generation security operations centers and in helping clients develop security strategies for their specific industry and threat profile.

Anil has been a guest speaker to numerous trade organizations and conferences, including the Information Systems Audit and Control Association, Institute of Internal Auditors, American Petroleum Institute’s Cyber Security Conference and, for multiple years, at McAfee’s FOCUS International Security Conference.

Prior to joining EY, Anil was a Captain in the United States Air Force, specializing in security operations, incident response and tactical communications. He is a veteran with two combat tours to Iraq in support of Operation Iraqi Freedom.

Anil Markose Principal

Cyber Threat Management Leader — Financial Services Email: anil.markose@ey.com

EY | Assurance | Tax | Transactions | Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. © 2017 Ernst & Young LLP. All Rights Reserved. 1703-2209829 ED None This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com